Next: INET Socket Capability-Based Protection
Up: LinSec Capability Model
Previous: Capability-Based System Boot Monitor
Contents
Capability-Based Process Protection
Capability-Based Process Protection is best explained through an example.
Assume two processes, process A and process B.
For process A to send a signal to process B, Linux requires
either that A is a superuser-owned process or that A and B are owned by the same
user. As some signals can be fatal for the receiving process, this
simple policy was not acceptable to LinSec, primarily because the root user should
not be allowed to terminate system services that run with uid 0
(root) in Linux. Rather than change the whole process-ownership
philosophy of Linux, which would certainly break compatibility
between platforms and would violate the POSIX 1003.1 set of standards,
the LinSec solution is to introduce a set of capabilities that are used
to control how signals are sent and received. The solution does not replace
the current mechanisms; it builds on them. The introduced capabilities and
their meanings are:
- CAP_PROC_PROTECTED: a process that has this capability in its effective
capability set will not receive any signals unless the sending process has
the CAP_PROC_GOD capability in its effective capability set.
- CAP_PROC_UNKILLABLE: a process with this capability in its effective
capability set will not receive the fatal signals 2, 3, 9 and 15 unless the
sending process has CAP_PROC_GOD in its effective capability set.
- CAP_PROC_GOD: a process that has this capability in its effective
capability set can send signals to processes that have CAP_PROC_PROTECTED or
CAP_PROC_UNKILLABLE in their effective capability set.
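As an added illustration (not LinSec's own kernel code), the following C model applies the rule set above: the base Linux ownership check is evaluated first, then the three LinSec capabilities on top of it. The capability bit values, the `struct task` layout and the `check` wrapper are assumptions made for this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Capability bit positions are assumptions for this illustration,
 * not LinSec's actual values. */
#define CAP_PROC_PROTECTED  (1u << 0)
#define CAP_PROC_UNKILLABLE (1u << 1)
#define CAP_PROC_GOD        (1u << 2)

struct task {
    unsigned int uid;      /* owning user id */
    uint32_t     eff_caps; /* effective capability set as a bitmask */
};

/* The fatal signals named in the text: 2, 3, 9 and 15. */
static bool is_fatal_signal(int sig)
{
    return sig == 2 || sig == 3 || sig == 9 || sig == 15;
}

/* Decide whether `sender` may deliver `sig` to `target`.  The base Linux
 * rule is applied first; the LinSec capabilities only restrict further,
 * and CAP_PROC_GOD lifts those extra restrictions again. */
bool may_send_signal(const struct task *sender, const struct task *target, int sig)
{
    /* Base Linux rule: superuser-owned sender, or same owner. */
    if (sender->uid != 0 && sender->uid != target->uid)
        return false;

    /* CAP_PROC_GOD bypasses both LinSec protections. */
    if (sender->eff_caps & CAP_PROC_GOD)
        return true;

    /* CAP_PROC_PROTECTED: no signals at all from non-GOD senders. */
    if (target->eff_caps & CAP_PROC_PROTECTED)
        return false;

    /* CAP_PROC_UNKILLABLE: only the fatal signals are blocked. */
    if ((target->eff_caps & CAP_PROC_UNKILLABLE) && is_fatal_signal(sig))
        return false;

    return true;
}

/* Convenience wrapper so one scenario can be stated in a single call. */
bool check(unsigned int suid, uint32_t scaps,
           unsigned int tuid, uint32_t tcaps, int sig)
{
    struct task s = { suid, scaps }, t = { tuid, tcaps };
    return may_send_signal(&s, &t, sig);
}
```

Note that a plain root process (uid 0, no LinSec capabilities) still cannot deliver signal 9 to a uid-0 service carrying CAP_PROC_UNKILLABLE, which is exactly the case the text motivates.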
Furthermore, in some cases it might prove valuable to hide certain process-related
information, or even whole processes, from the eyes of users.
Examples of processes one would want to keep invisible are various system monitoring programs
and intrusion detection systems. For this purpose two more capabilities are
introduced by LinSec:
- CAP_PROC_HIDDEN: processes with this
capability in their effective capability sets are not listed in /proc (see the footnote below)
and are therefore invisible to system utilities like ps, top etc.
- CAP_NET_HIDDEN: data about INET network connections using TCP, UDP or
raw IP belonging to processes that have this capability in their effective capability sets
is omitted from /proc. Therefore, utilities like netstat etc. do not
list the network information for those processes.
Footnotes
- /proc: /proc is the standard mount point
for the Linux proc file system. Proc is a virtual file system
that serves as the kernel -- userspace interface. Its main role is to provide
system status information to userspace programs.